One of the most exciting jobs in cybersecurity is that of a penetration tester. You can legally hack into production networks to find vulnerabilities, and possibly gain root, SYSTEM/NT AUTHORITY, or Domain Admin (DA) access.
This could bring up images of you running your latest exploits to pop the reverse shell, then running your most powerful priv-esc scripts and finally issuing the whoami command to reveal admin access. It’s a great job! But…
You now have to create a professional-looking report for your client. This is the final product that you sold them when you bid on the job. I will show you what clients want in reports and give you a sample of a report I created.
Penetration test reports are vital
A quick search for job postings will reveal the importance of being proficient in writing professional reports. Here are some excerpts from real job postings for a “Penetration tester”.
“Creating detailed, professional documentation/reports that clearly communicate vulnerabilities, mitigation strategies, and remediation steps.”
“Ability to support technical analysis, documenting and presenting report”
“Prepare technical documents containing information security test results analysis.”
“Develop accurate and comprehensive reports and presentations for technical and executive audiences.”
Knowing the importance of being a skilled writer, I realized that experience is the best teacher. However, unless you are performing pentests frequently, you won’t get much experience writing reports. This is the same paradox that people face when trying to get into the business: Skill X is required for Job A, but Skill X can only be obtained if you have worked in Job A.
How I created my pentest reports
This type of situation can be very frustrating. You need to think creatively to gain valuable experience in the skill(s). I thought it would be a good idea to take one of Vulnhub’s vulnerable virtual machines and treat it as if I had been hired to do a pentest for a company. Then, I would write a professional-looking report to the “client”.
It was a challenge because you have to write the report for both IT support staff and C-level executives. You must also guide the client in the right direction on why they were at risk and what they can do about it. It is important to communicate clearly to your client the steps taken to compromise their system(s), so they can verify and understand your findings. You can find my sample report at the end of this blog.
Get my sample report
My sample report is available for download here.
I will explain how I created this video and break down what’s in it.
Resources for creating your report
GitHub is a great place to showcase your skills for potential employers. Upload PDFs of your “example” reports to show potential employers your ability to write.
There are many examples and templates for professional reports. The good news is that office productivity suites, such as Microsoft Word, provide all the tools necessary to give them that professional look.
Here are some reports I took cues from…
Red Siege Sample Report
OSCP/PWK Sample Pentest Report
The cybersecurity community is also trying to establish a standard for pentest reports.
These resources should inspire you to share your own samples with the cybersecurity community.
Check out my courses on ITProTV if you are looking for security training.